Re: ssh2 login without password

Igor Sovin · ‎04-17-2005

Hi
I need to login from my client on HP-UX into server (also HP-UX) without providing password, using ssh2.
I've generated dsa and rsa keys using ssh-keygen on client, then I've created file authorized_keys in /.ssh/ on server, and have copied client's file id_dsa.pub to /.ssh/authorized_keys. As described in manual after that action I would be granted to server without promting password, but
I still get a promt to provide password.
What did I do wrong?

thanx

Tom Ward_1 · ‎04-17-2005

Hello Igor,

Try connecting with "ssh -v host". It may give you information about the problem. Also check the permissions on your .ssh directory and the files within. I've seen ssh not trust keys when the permissions are too loose.

Good luck,
Tom

Alex Lavrov. · ‎04-17-2005

Here are some good tutorials:
http://www.cvrti.utah.edu/~dustman/no-more-pw-ssh/
http://www.ifi.uio.no/in228/scripting/doc/ssh-no-password.html

Be sure you didn't miss something. Also check ssh configuraion file, sometimes authorized keys file is configured to be "authorized_keys2". I had this problem once, took a while to find.

I don't give a damn for a man that can only spell a word one way. (M. Twain)

Joe Harrison_1 · ‎04-18-2005

(server)$ cd /home/
(server)$ ssh-keygen -t dsa -f id_dsa
(server)$ cat id_dsa.pub >> .ssh/authorized_keys
(server)$ scp id_dsa @:
(server)$ chmod 750 /home/
(server)$ chmod 700 /home//.ssh
(server)$ chmod 600 /home//.ssh/*
(client)$ cd /home/
(client)$ mv id_dsa .ssh/
(client)$ chmod 750 /home/
(client)$ chmod 700 /home//.ssh/
(client)$ chmod 600 /home//.ssh/*
(client)$ ssh @

Joe Harrison_1 · ‎04-18-2005

(server)$ scp id_dsa @:

Igor Sovin · ‎04-18-2005

Permissions are okay
I've read the given links, I did exactly the same things as described in these documents.

I did the same om another host with the same OS and same version of Secure Shell, everything worked perfect.
Dont know what to do...

Alex Lavrov. · ‎04-18-2005

Did you check in ssh configuration file, that the file for quthorized keys is indeed "authorized_keys" and not "authorized_keys2"?

I don't give a damn for a man that can only spell a word one way. (M. Twain)

wip · ‎04-18-2005

What Version of SSH are you using ?What is the settings in /etc/sshd_cocnfig file.Do you have a centrlised user authentication software installed.It depends on this

Igor Sovin · ‎04-18-2005

version of Secure Shell is A.03.10.007 on client and on server.

Alex Lavrov. · ‎04-18-2005

What about settings in sshd config file?

I don't give a damn for a man that can only spell a word one way. (M. Twain)

Igor Sovin · ‎04-18-2005

my sshd_config

$OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin

# The strategy used for options in the default sshd_config shipped with
# HP-UX Secure Shell is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#
# WARNING: enabling protocol 1 will cause HP-UX Secure Shell vulnerable
# to security attacks. It is strongly recommended NOT to enable protocol 1.
# Use "2,1" to notify sshd to use version 2 and fall back to version 1 if
# version 2 is not available. The default is "2".
#
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /opt/ssh/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/ssh/etc/ssh_host_rsa_key
#HostKey /opt/ssh/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /opt/ssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

# From A.03.10.005 onwards
X11Forwarding yes
#X11DisplayOffset 10
X11UseLocalhost no
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /opt/ssh/libexec/sftp-server

Alex Lavrov. · ‎04-18-2005

AS I thought:
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

This section is commented, so sshd ignore authorized_key file.

Uncomment it and restart sshd.

I don't give a damn for a man that can only spell a word one way. (M. Twain)

Andrew Cowan · ‎04-18-2005

Check that both hosts know one another by the names that you think they do. Ssh into the target box and do a "whoami" and ensure that the hostname supplied is exactly the same as the one in "authorized_keys" because if it doesn't then SSH assumes you don't have a public key.

The other major problem is when you inadvertantly put carriage returns into the "authorized_keys" file.

Ermin Borovac · ‎04-18-2005

To test if it's permission problem set StrictModes parameter in sshd_config to 'no' or run sshd as follows.

# sshd -p 22222 -o'StrictModes no'
# ssh -p 22222

If that works then you know that directory permissions are incorrect and you can troubleshoot further.

Nguyen Anh Tien · ‎04-18-2005

You need to refer these links:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=244540

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=822731

tienna

HP is simple

Igor Sovin · ‎04-18-2005

Uncommenting the sections adviced above didnt help

Hosts know each other and file known_hosts is ok.

the output of # sshd -p 22222 -o'StrictModes no' gave nothing

my ssh passwordless connection seems to be big problem ... hm, so why on other hosts everything is ok, configurations of ssh, permissions, etc. are the same.
I wonder what the problem could be?

Alex Lavrov. · ‎04-18-2005

Did you restart sshd? (kill -1 )

I don't give a damn for a man that can only spell a word one way. (M. Twain)

Igor Sovin · ‎04-18-2005

yes, I restarted sshd

Ermin Borovac · ‎04-19-2005

Does account you are trying to login to have a password assigned (i.e. can you telnet to it)? If it has '*' in encrypted password field you won't be able to do passwordless ssh login as it will consider account as locked.

I suggest you check your permissions again. Not only on $HOME but also on all parent directories and /tmp. For example if $HOME is /home/ you should make sure that

/ and /home are owned by root and not group/world writable (e.g. 755)
/tmp should be 1777
/home/ and /home//.ssh are owned by and not group/world writable
None of the files in /home//.ssh should be group/world writable.

Igor Sovin · ‎04-19-2005

Thank you all for answers!

The problem was so stupid, user account on server was deactivated due to 3 unsuccessful login attempts.
I reactivated it and everything gone wright.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: ssh2 login without password

ssh2 login without password